HTML holes exposed sensitive data for “private” Steam user accounts

Valve pushes out fix after Ars brings security hole to its attention.

Valve has remedied a major potential privacy issue with the Steam Community website after it was brought to the company's attention by Ars. The flaw allowed anyone to view game purchase history, achievement history, recent play time, and more, even for Steam users who had set their profiles to private.

I recently discovered the privacy hole when fiddling with Steam's profile settings and examining the source code behind the site. Since the problem exposed potentially sensitive data about Steam users, the examples cited in this article will primarily be from my personal profile. That said, we independently confirmed that the privacy hole applied to any profile that was set to "Private" or "Friends only." Many such profiles could be easily discovered using Google without prior knowledge of the user's Steam ID number or name.

Out of respect for the privacy of Steam's more than 50 million users, we did not immediately publish our discovery of this privacy hole. Instead, we documented the problem and notified Valve of the issue late on Monday evening. Within three hours of sending our message, our spot checks showed that the problem appeared to be remedied.

Despite apparently fixing the issue, Valve has not officially commented on the matter, or even acknowledged that it was made aware of the problem. This lack of response would likely not be appreciated by security researchers and users, and the company's silence may discourage future "private disclosure" of security flaws. Cooperation with users and security researchers is standard from companies like Microsoft and Google and is crucial to ensure software and services are as secure as they can be.

The hole

If you went to my Steam community profile page before Monday, it would correctly show my profile as private (as it still does). You would get the same message if you tried to force the website to show a list of my Steam games, by adding "/games/?tab=all" to the end of the URL (e.g., http://steamcommunity.com/id/KyleOrl/games/?tab=all).

Viewing the HTML source code of that page, however, revealed a good deal of data that Steam users might want to keep private. Anyone looking at the source of this page could get a complete and apparently accurate list of every game in any private Steam library through a plaintext JavaScript definition for an array named rgGames[].

As you can see in the screenshot below and in this complete PasteBin copy of the source taken before the hole was fixed, this list is relatively human-readable, despite a lot of JavaScript cruft surrounding it. Fortunately, other data that is usually included in public user profiles, such as total playtime for each game, seems to have been suppressed in private profiles.

The source code for my "private" game page, as accessed before Monday, with the relevant game names highlighted.

The potential for privacy breaches continues from there. Using the revealed list of games and a minor amount of URL modification, anyone could expose a private Steam user's Achievement page for the game in question. To access this page for Portal 2, for instance, you would simply add "stats/Portal2/?tab=achievements" to the end of a user's standard profile URL (i.e. http://steamcommunity.com/id/KyleOrl/stats/Portal2/?tab=achievements). This page is not linked anywhere for users whose Steam profiles are set to private, but not linking to it was the only protection it had: the server never checked the profile's privacy setting before serving the page, so anyone who knew or guessed the URL could load it.

My "private" Portal 2 achievements page showed when I played the game and how much I played it recently.

Aside from revealing gameplay details to some extent, the Achievements page also exposes precisely when those Achievements were earned, and consequently some information about when the Steam user was playing that game. This could be considered sensitive information, especially for a Steam user that had gone to the trouble of setting their profile to Private. The Achievements pages also reveal how much the user has been playing each game in the last two weeks.

For games that track multiplayer stats, a bit of URL work can also reveal a complete history of a private user's online records, favorite characters, and more. The below example shows such data for a private player of Payday: The Heist, whose name has been blurred out for privacy reasons.

The multiplayer Payday: The Heist stats for a private user, before the hole was fixed.

Furthermore, the same basic method can be used to expose a private user's Badge page, by simply adding "/badges/" to the end of a private user page URL. This page easily showed the world roughly when the private Steam account was created, and it could also reveal incidental information such as whether the account is linked to Facebook or if there are any friends associated with the account.

Now that the privacy hole has been plugged, Steam users need not take any additional action to protect their sensitive data (though concerned users should check their Steam settings to ensure that their profile is set to Private, if they don't want their information publicly viewable). Trying any of the URL modifications mentioned above for a private account now redirects a visitor harmlessly to the Steam user's main profile page, which simply states, "This profile is private" (and contains no additional relevant information hidden in the HTML).
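The two mistakes described above, embedding the full library in the page source and leaving unlinked sub-pages unprotected, are easier to see side by side. The following is an added example, not Valve's code or anything recovered from the Steam Community site: the rgGames variable name and the /games/, /stats/<game>/ and /badges/ paths mirror the article, while the profile data, the viewer model and the function names are constructed for illustration. The vulnerable renderer ships the data and lets client-side script hide it; the hardened router makes the authorization decision on the server, once, before any of the sub-pages is built, and answers denied requests the way the fixed site does (a redirect to a profile page whose body carries no hidden data).

```javascript
// Added example (not Valve's code): a minimal model of the flaw the article
// describes, next to a server-side fix. The rgGames name and the /games/,
// /stats/<game>/ and /badges/ paths mirror the article; the profile data,
// function names and viewer model are constructed for illustration.

// Constructed sample profile (not a real Steam account).
const profiles = {
  KyleOrl: {
    visibility: "private", // "public" | "friendsonly" | "private"
    friends: new Set(["alice"]),
    games: [{ appid: 620, name: "Portal 2" }, { appid: 24240, name: "PAYDAY: The Heist" }],
    stats: { Portal2: [{ achievement: "Lunacy", unlocked: "2012-06-07T15:02:00Z" }] },
    badges: [{ name: "Years of Service", since: "2004-01" }],
  },
};

// Serialize for inlining into a <script> block. Escaping "<" stops a value
// such as "</script>" from terminating the block early.
function embedJson(value) {
  return JSON.stringify(value).replace(/</g, "\\u003c");
}

// VULNERABLE pattern: the server embeds the whole library into every copy of
// the page and relies on client-side JavaScript to decide whether to show it.
// The data is in the response body regardless of what the script draws.
function renderGamesPageVulnerable(profileId) {
  const p = profiles[profileId];
  const isPrivate = p.visibility !== "public";
  return [
    "<html><body><div id=\"games\"></div><script>",
    `var rgGames = ${embedJson(p.games)};`,
    `var bPrivate = ${isPrivate};`,
    "if (bPrivate) { document.getElementById('games').textContent = 'This profile is private'; }",
    "else { /* render rgGames into #games */ }",
    "</script></body></html>",
  ].join("\n");
}

// What a reader of the page source (or a scraper) sees: pull rgGames straight
// out of the HTML. Returns null when the array is not present.
function extractRgGames(html) {
  const m = html.match(/var rgGames = (\[.*?\]);/);
  return m ? JSON.parse(m[1]) : null;
}

// Authorization decided once, on the server, from the viewer's identity and
// the owner's setting. viewer is null for an anonymous visitor.
function canView(profileId, viewer) {
  const p = profiles[profileId];
  if (!p) return false;
  if (viewer === profileId) return true;
  if (p.visibility === "public") return true;
  if (p.visibility === "friendsonly") return viewer !== null && p.friends.has(viewer);
  return false;
}

// HARDENED pattern: one router, and the check runs before any sub-page is
// built. Being unlinked is not a control; /stats/ and /badges/ are reachable
// by URL, so the denial has to happen on every route. Denied requests are
// redirected to the profile page, whose body contains no hidden data.
function handleRequest(path, viewer) {
  const m = path.match(/^\/id\/([^/]+)(\/.*)?$/);
  if (!m) return { status: 404, body: "" };
  const [, profileId, sub = "/"] = m;
  if (!profiles[profileId]) return { status: 404, body: "" };
  if (!canView(profileId, viewer)) {
    if (sub === "/") return { status: 200, body: "<html><body>This profile is private</body></html>" };
    return { status: 302, location: `/id/${profileId}/`, body: "" };
  }
  const p = profiles[profileId];
  const page = (data, name) => ({ status: 200, body: `<script>var ${name} = ${embedJson(data)};</script>` });
  if (sub.startsWith("/games/")) return page(p.games, "rgGames");
  const stats = sub.match(/^\/stats\/([^/]+)\//);
  if (stats) return (stats[1] in p.stats) ? page(p.stats[stats[1]], "rgAchievements") : { status: 404, body: "" };
  if (sub.startsWith("/badges/")) return page(p.badges, "rgBadges");
  return { status: 200, body: "<html><body>profile page</body></html>" };
}

if (typeof require !== "undefined" && require.main === module) {
  // Same private profile, same anonymous visitor: the old page leaks, the new router does not.
  console.log(extractRgGames(renderGamesPageVulnerable("KyleOrl")));
  console.log(handleRequest("/id/KyleOrl/games/?tab=all", null));
}
```

The point of keeping one `canView` function and calling it at the top of the router is that adding a new sub-page later cannot quietly bypass the check; the original site's per-page approach is exactly what left /stats/ and /badges/ unprotected.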

Given the obscurity of the issue and the relatively small proportion of Steam users that use Private profiles, it's unlikely anyone's data was seriously compromised by the oversight. Still, the whole affair goes to show that options to opt out of sharing features for some social networks may not be as airtight as they seem.

Maybe I missed something, but I don't see anything particularly sensitive that was exposed. Don't get me wrong, this was clearly an issue and props to Ars for discovering it, but I don't see how leaking someone's achievements amounts to leaking sensitive data. According to the article, personal info such as phone number, DOB, etc. was never exposed.

On the other hand, I'm sure that this shortcutting (grabbing all the data from the database and then using javascript not to display it) is used in businesses where it would be much more important to keep the information secret. So, good job on you for bringing this to light and hopefully webmasters the world over take a chance to examine their source code.

Maybe I missed something, but I don't see anything particularly sensitive that was exposed. Don't get me wrong, this was clearly an issue and props to Ars for discovering it, but I don't see how leaking someone's achievements amounts to leaking sensitive data. According to the article, personal info such as phone number, DOB, etc. was never exposed.

Because if someone is setting their profile to "private" then they have explicitly indicated that they don't want the world to know.

It's not up to you to evaluate if their reason for not wanting the world to know is "good enough" it's sufficient that they indicated "I don't want the world to know".

Then, to expose that information anyway does in fact expose sensitive information because the original user declared it sensitive.

Maybe I missed something, but I don't see anything particularly sensitive that was exposed. Don't get me wrong, this was clearly an issue and props to Ars for discovering it, but I don't see how leaking someone's achievements amounts to leaking sensitive data. According to the article, personal info such as phone number, DOB, etc. was never exposed.

Because if someone is setting their profile to "private" then they have explicitly indicated that they don't want the world to know.

It's not up to you to evaluate if their reason for not wanting the world to know is "good enough" it's sufficient that they indicated "I don't want the world to know".

Then, to expose that information anyway does in fact expose sensitive information because the original user declared it sensitive.

What Dracorat said, a million times over.

Also, it's a matter of delivering what is promised. If Valve decided that there wasn't any need to hide the information, then they shouldn't even allow the option of private accounts. As soon as they do, they need to deliver on their promise to keep your information protected. "I didn't think it was sensitive" is not a valid excuse for failing to deliver what they said they would.

I don't disagree, like I said it needed to be fixed. Kudos also on the responsible disclosure. However, if the article's title was all you had and there was no article to read, I think most would assume something far more sinister.

Maybe I missed something, but I don't see anything particularly sensitive that was exposed. Don't get me wrong, this was clearly an issue and props to Ars for discovering it, but I don't see how leaking someone's achievements amounts to leaking sensitive data. According to the article, personal info such as phone number, DOB, etc. was never exposed.

So, let's say, your profile reveals that you got an achievement playing some game at 3 pm on a Thursday afternoon...i.e. when you should have been working.

Also, this could be interesting information to start a phishing attempt.

Sure, in the grand scheme of things, the number of scenarios where somebody could actually get burnt by this is pretty small, but it's still the principle. If I mark it as private, then it should be private.

Maybe I missed something, but I don't see anything particularly sensitive that was exposed. Don't get me wrong, this was clearly an issue and props to Ars for discovering it, but I don't see how leaking someone's achievements amounts to leaking sensitive data. According to the article, personal info such as phone number, DOB, etc. was never exposed.

A list of games could tell a criminal how valuable an account is and then target that account to be stolen.

WTF with using a client-side solution and a related check that should be handled entirely server-side? I don't know if that qualifies as lazy, stupid, or both.

Probably both.

Not only is it ridiculously poor practice, but it's also sending more data down than is needed... sure, it's text, but it's still not exactly optimal.

That's before we get to the lack of server-side checks on the various URLs. WTF people, client side is only for UI purposes, you SERVER VALIDATE EVERYTHING that has any flow/access logic associated with it, never trust anything originating from the client side regardless of what you have set up for validation/etc. Never send data to a client unless it's meant to be seen. hurp-a-derp-a-derp?

Maybe it's "just" related to user privacy and "just" showing details about games played, but it's still a pretty gaping mistake to make that's a bit worrisome.

As to why people might not want these things visible, one thing that immediately comes to mind is prejudicial treatment in hiring processes by some employers in regards to finding out you spend however much time you do playing games (which is ridiculous for other reasons, but it does happen apparently). Some people's steam profiles are trivially easy to figure out due to re-use of the same handle elsewhere that's linked directly to their real name.

Nice job! The headline "html holes" had me scared though. I rushed to read the content if there was some type of html hole that should make me verify my own web developments. It turned out to be some site development deficiency rather than a technologic deficiency.

Nice job! The headline "html holes" had me scared though. I rushed to read the content if there was dome type of html hole that should make me verify my own web developments. It turned out to be some site development deficiency rather than a technologic deficiency.

totally OT, but I had to read this five times before it clicked that it was a typo of "some" and not "DOM"

In a legal context (IE if someone was suing them) then sensitive has some specific meanings to determine compliance with Electronic Information Privacy acts in order to determine whether a criminal act was committed.

However, the bar for whether a civil suit has merit is usually "was there measurable harm" and one has to argue that when you give people the ability to hide their personal information, that those people can attach a value to that information and to the loss of that information therewith. Furthermore, if the loss of that information resulted in other types of harm, such as the loss of employment or reasonable loss to a carefully crafted financial fraud attempt, then the potential for harm is even more. Multiply by the number of potentially affected users and you could have a fiasco on your hands.

Considering that, hypothetical as it may be, the use of the word "sensitive" has merit.

Nice job! The headline "html holes" had me scared though. I rushed to read the content if there was dome type of html hole that should make me verify my own web developments. It turned out to be some site development deficiency rather than a technologic deficiency.

We have limited space in our headlines, so it was the best way I could think of to describe the nature of the URL and HTML source based hole.

No, I have that enabled and that wasn't it. I opened up Steam (the application) and this little dialog box appeared asking me to verify that my [current e-mail address] was still being used. In all my years of using Steam, I've never had that happen.

On the other hand, I'm sure that this shortcutting (grabbing all the data from the database and then using javascript not to display it) is used in businesses where it would be much more important to keep the information secret. So, good job on you for bringing this to light and hopefully webmasters the world over take a chance to examine their source code.

There are developers out there who actually think like this? Holy crap!

I work in a research lab (of the basic science variety) developing performance-critical code that operates on terabytes upon terabytes of data. Maybe I'm a little out of touch with front-end web development (I haven't done it since co-op in my second year of undergrad), but that sounds like a huge waste of resources. Why not just fetch what you need from the database, instead of fetching everything and then filtering it out?

On the other hand, I'm sure that this shortcutting (grabbing all the data from the database and then using javascript not to display it) is used in businesses where it would be much more important to keep the information secret. So, good job on you for bringing this to light and hopefully webmasters the world over take a chance to examine their source code.

There are developers out there who actually think like this? Holy crap!

I work in a research lab (of the basic science variety) developing performance-critical code that operates on terabytes upon terabytes of data. Maybe I'm a little out of touch with front-end web development (I haven't done it since co-op in my second year of undergrad), but that sounds like a huge waste of resources. Why not just fetch what you need from the database, instead of fetching everything and then filtering it out?

When your performance bottleneck is human activity, it's easy to write something stupid, lazy, and inefficient because it requires less effort than learning how to use a DB correctly and since it's not causing performance problems being called on it isn't likely to happen right away.

I'd really appreciate it if Ars didn't post such obvious lies. We all know that, when one points out a security hole to a company, the appropriate response is to run in circles, scream and shout, and sue the person who nicely provided you the data. They don't actually fix the hole! What do you think we are? Simpletons?!

I'd really appreciate it if Ars didn't post such obvious lies. We all know that, when one points out a security hole to a company, the appropriate response is to run in circles, scream and shout, and sue the person who nicely provided you the data. They don't actually fix the hole! What do you think we are? Simpletons?!

Quick, someone register a throwaway account to ask Kyle why he was really looking at the source code!

Maybe I missed something, but I don't see anything particularly sensitive that was exposed. Don't get me wrong, this was clearly an issue and props to Ars for discovering it, but I don't see how leaking someone's achievements amounts to leaking sensitive data. According to the article, personal info such as phone number, DOB, etc. was never exposed.

Clearly it's sensitive enough that it was *intended* to be hidden in a private profile, and some felt the need to set their profiles to private. So this may not be sensitive to you, but it might be to some people.

I can imagine how for example certain people who do a lot of trading might feel like this data being exposed is like having your hand tipped in a poker game.

Kyle Orland is the Senior Gaming Editor at Ars Technica, specializing in video game hardware and software. He has journalism and computer science degrees from University of Maryland. He is based in Pittsburgh, PA.